Is reCaptcha compatible with iFrames?
I'm evaluating moving 3rd party JavaScripts into sandboxed iFrames in order not to allow them access to main page data. So if a 3rd party script is compromised, only data in the iFrame could be stolen.
One of the flows we want to move is the auth form. Right now, we have a JavaScript with Google reCaptcha that triggers the logging flow against our servers. I thought of moving the whole form and reCaptcha JS into a sandboxed iFrame. This way I can isolate the reCaptcha JavaScript from the rest of the page. Login should be done inside the iFrame and in some way, this iFrame will send the cookies or the session to the main page.
Do you think it is a valid scenario? My major concern is whether the reCaptcha script will work in a sandboxed iFrame.
Let me include 2 scenario designs.
Scenario 1:
- reCaptcha is isolated into an iFrame. Once reCaptcha is resolved it passes the reCaptcha key to the parent frame and it is set on the form. One way to do this is by the postMessage API.
- This way, reCaptcha code has no access even to the auth form.
Scenario 2 (if scenario 1 is not valid):
- The whole auth form is isolated into an iFrame. In this case reCaptcha code has access to the login form, but not the whole page.
For both scenarios, after submitting the form with the reCaptcha key, it should provide a way to pass the cookies or the needed keys to the main page without reloading itself. This could be achieved by postMessage too.
Regards,
javascript iframe recaptcha
asked Nov 13 '18 at 10:55
Jose Moyano
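The parent-page side of the postMessage handoff in Scenario 1 can be sketched as follows. This is an added example, not part of the original question and not Google's code; the message shape `{type, token}`, the function name `makeTokenReceiver` and the token pattern are assumptions. It shows why the parent has to check `event.source`: a frame sandboxed without `allow-same-origin` has an opaque origin, so `event.origin` is the string `"null"` and cannot identify the sender on its own.

```javascript
// Added example: parent-page receiver for the token handoff in Scenario 1.
// Message shape, names and token pattern are hypothetical.
function makeTokenReceiver({ frameWindow, allowedOrigins, onToken }) {
  // Assumed token shape: an opaque URL-safe string of bounded length.
  const TOKEN_RE = /^[A-Za-z0-9_-]{20,4096}$/;
  let delivered = false;

  return function onMessage(event) {
    // 1. Sender identity: only the exact iframe window we embedded.
    //    Any other window or frame can call postMessage on us too.
    if (event.source !== frameWindow) return 'rejected:source';

    // 2. Origin: a sandboxed frame without allow-same-origin reports "null".
    //    Every such frame reports the same value, so this check is
    //    secondary to the source check above.
    if (!allowedOrigins.includes(event.origin)) return 'rejected:origin';

    // 3. Payload: treat it as untrusted input and accept one fixed shape.
    const data = event.data;
    if (data === null || typeof data !== 'object' ||
        data.type !== 'recaptcha-token') return 'rejected:shape';
    if (typeof data.token !== 'string' || !TOKEN_RE.test(data.token)) {
      return 'rejected:token';
    }

    // 4. One token per form submission; ignore repeats.
    if (delivered) return 'rejected:replay';
    delivered = true;
    onToken(data.token);
    return 'accepted';
  };
}

// Browser wiring (element id and form variable are placeholders):
// const frame = document.getElementById('captcha-frame');
// window.addEventListener('message', makeTokenReceiver({
//   frameWindow: frame.contentWindow,
//   allowedOrigins: ['null'],
//   onToken: (t) => { form.elements['g-recaptcha-response'].value = t; },
// }));
```

The token still has to be verified server-side when the form is submitted; the checks here only control what the parent page accepts from the frame.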